Cybercriminals supported by Hezbollah and Iran orchestrated cyberattacks with the intention of eroding public support for the Israel-Hamas conflict during October 2023.
This includes devasting assaults on important Israeli institutions, hack-and-leak schemes aimed at American and Israeli companies, phishing scams intended to get intelligence, and disinformation tactics to sway public opinion against Israel.
As to a recent analysis by Google, about 80% of all government-sponsored phishing attempts targeting Israel in the six months preceding the October 7 assaults originated from Iran.
“Hack-and-leak and information operations remain a key component in these and related threat actors’ efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence,” added Google.
However, another noteworthy aspect of the Israel-Hamas combat is that, in contrast to the Russo-Ukrainian war, it appears that the cyber operations are carried out independently of the kinetic and battlefield activities.
The corporation also stated that such cyber capabilities may be swiftly and more affordably deployed to interact with regional adversaries without resorting to direct military conflict.
It is claimed that GREATRIFT (also known as UNC4453 or Plaid Rain), an Iran-affiliated gang, spread malware through a fictitious “missing persons” website that catered to users looking for information about kidnapped Israelis. Additionally, the threat actor used lure papers with a blood donation theme as a means of distribution.
Wiper malware variants including BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE, and COOLWIPE have been used by at least two hacktivist identities, Handala Hack and Karma, to execute disruptive assaults against Israel and remove files from Linux and Windows computers, respectively.
As part of a phishing effort that was seen in late October and early November 2023, Charming Kitten, another Iranian nation-state hacking outfit (also known as APT42 or CALANQUE), used a PowerShell backdoor named POWERPUG to target media and non-governmental organizations (NGOs).
In addition, POWERPUG is the most recent backdoor added to the adversary’s extensive collection, which also includes PowerLess, BellaCiao, POWERSTAR (also known as GorjolEcho), NokNok, and BASICSTAR.
However, weeks prior to the October 7 assaults, organizations associated with Hamas targeted Israeli software developers with coding assignment spoofs in an effort to trick them into downloading SysJoker malware. A threat actor known as BLACKATOM is said to be behind the effort.
“The attackers […] posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities,” Google stated. “Targets included software engineers in the Israeli military, as well as Israel’s aerospace and defense industry.”
The tech giant characterized the methods used by Hamas cyber operators as straightforward but efficient, pointing out that they employ social engineering to distribute backdoors and trojans for remote access, such as MAGNIFI, to users in Israel and Palestine. This has been connected to BLACKSTEM, also known as Molerats.
The use of spyware on Android phones, which may gather private data and transfer it to infrastructure under the control of an attacker, gives these attacks a new twist.
The actor DESERTVARNISH, associated with Hamas, is responsible for the malware variants MOAAZDROID and LOVELYDROID. The actor is also known by the names Arid Viper, Desert Falcons, Renegade Jackal, and UNC718. Cisco Talos previously published information on the malware in October 2023.
Iranian state-sponsored organizations, including MYSTICDOME (also known as UNC1530), have also been seen utilizing the custom malware SOLODROID for intelligence gathering and the Android remote access trojan MYTHDROID (also known as AhMyth) to target mobile devices in Israel.
The applications have subsequently been removed from the Google Play store. “MYSTICDOME distributed SOLODROID using Firebase projects that 302-redirected users to the Play store, where they were prompted to install the spyware,” the company stated.
Google also brought attention to an Android spyware known as REDRUSE, which exfiltrates contacts, message data, and location. REDRUSE is a trojanized version of the official Red Alert app, which is used in Israel to warn of impending missile assaults. It spread by SMS phishing messages that seemed to be from the police.
Iran has also been affected by the continuous conflict; in December 2023, an actor going by the stage name Gonjeshke Darande (which translates to “Predatory Sparrow” in Persian) destroyed most of the country’s vital infrastructure. It is thought that the Israeli Military Intelligence Directorate is connected to the character.
Microsoft recently disclosed that individuals with ties to the Iranian government have “launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners.” These discoveries follow that revelation.
Google Pixel Phones May Soon Adapt Touch Sensitivity Based on Environment: Report
Google’s assessment that the attacks became “increasingly targeted and destructive and IO campaigns grew increasingly sophisticated and inauthentic” after the war broke out was corroborated by Redmond, who described their early-stage cyber and influence operations as reactive and opportunistic.
In addition to intensifying their attacks and broadening their target beyond Israel to include nations that Iran views as supporting Israel, such as Albania, Bahrain, and the United States, Microsoft claimed to have seen coordination between Iran-affiliated groups like Pink Sandstorm (also known as Agrius) and Hezbollah cyber operations.
Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC), stated that “collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft.”
The U.S. recently conducted a cyberattack against the Iranian military ship MV Behshad, which was gathering intelligence on cargo boats in the Red Sea and the Gulf of Aden, according to an NBC News story from last week.
Recorded Future published an investigation last month that described the management and operations of Iranian cyber personas and front groups through a range of Iranian contracting businesses that conduct information operations and intelligence collection with the goal of “fomenting instability in target countries.”
“While Iranian groups rushed to conduct, or simply fabricate, operations in the early days of the war, Iranian groups have slowed their recent operations allowing them more time to gain desired access or develop more elaborate influence operations,” Microsoft said.
